The National Security Agency (NSA) is the font of information security wisdom for the US defense and intelligence communities. But apparently, the NSA's own network security is so weak that a single administrator was able to hijack the credentials of a number of NSA employees with high-level security clearances and use them to download data from the agency's internal networks. That administrator was Edward Snowden.

Under Department of Defense (DOD) Directive 8500.2, the director of the NSA, Gen. Keith Alexander, is tasked with approving all the cryptographic hardware and software used by the DOD. The NSA also provides "information assurance" and information system security engineering services to DOD branches and agencies. And along with the National Institute of Standards and Technology, the NSA maintains the master guide for DOD information security systems: the Information Assurance Technical Framework (IATF).

But in what appears to be a case of "do as I say, not as I do," the NSA's internal IT security schemes allowed Snowden, a contractor sysadmin, to pull off a classic insider attack on the agency. An investigation by NBC found that Snowden had used the digital identities of several upper-level NSA officials to log into NSAnet, the agency's intranet—giving him access to data far beyond the needs of a lowly system administrator.

Attack of the superuser

The systems accessed by Snowden limit access by user role, so he could not have used his own credentials on them without overriding access controls. Officials familiar with the case told NBC that Snowden had obtained the "profiles" of a number of NSA employees; those employees have been identified through forensic examination of logs, by finding periods when they were traveling but their accounts were still being used to access the intranet. If Snowden used administrative privileges to reset their passwords, failed logins might have flagged a problem—but they might have simply been shrugged off as passwords forgotten over vacation.

In order to pull this off without raising alarms, Snowden would have needed access to the full credentials of the users whose identities he borrowed. He would have needed either to somehow gain access to the public key infrastructure (PKI) keys used in their user authentication or to override multi-factor authentication to gain access to the systems. He also would have needed to avoid detection by audit logs in making those changes (or delete the record of the changes after the fact). He managed to do all of these things, download the content, and get it past the NSA's physical security.

Some or all of this trouble could have been avoided if the NSA had followed its own playbook a bit more closely and used administrative and security best practices that are common across government, the financial industry, and other networks where access control auditing and the non-repudiation of data are mandated by laws, regulations, and the nature of the business. Giving an administrator the ability to gain access to user credentials—and the log systems that monitor changes to those credentials—is a classic bad move in network security. As Oracle points out in its documentation for its Enterprise Manager administration tool, "Giving the same level of access to all systems to all administrators is dangerous." In most sensitive enterprise systems, administrators' access powers are limited to very specific roles to prevent giving them the power to compromise multiple systems, making it more difficult for an insider to attack systems and cover his or her tracks.

In the wake of the Snowden breach, Gen. Alexander announced that the NSA would implement two-person administrative requirements; that's a measure that's been recommended by the IATF for over a decade. "Limits can be placed on each individual’s authorized privileges," the IATF says. "The application and the security features it provides can also partly counter these threats with features such as audit, two-person administrative requirements, and covert access prevention and detection." Covert access prevention and detection would include monitoring login locations and watching for attempts to get at data from ways other than through the approved front-end (such as trying to pull directly from a disk directory instead of going through the intranet server).

Networks classified as secret and above at the DOD are supposed to be protected by layers of intrusion detection and automated auditing systems. Security information and event management (SIEM) systems and other internal network monitoring tools can be configured to catch log events that human eyes might miss—like a user from Fort Meade logging in unexpectedly from a station in Hawaii. A number of SIEM systems are used by organizations within the DOD for security auditing.
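The kind of correlation the preceding paragraphs describe (an account used while its owner is recorded as traveling, a login from a station other than the user's home site, an administrative password reset followed moments later by a login) is shown below as an added Python example, not as anything from the article or from any NSA or DOD system. The log format, account names, site names and travel roster are all constructed for illustration; a real SIEM would pull the reference data from HR and travel systems and the events from authentication logs.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample log lines (not real data): an ISO timestamp, an event
# kind, then key=value fields.
SAMPLE_LOG = """\
2013-05-20T09:14:02 LOGIN user=analyst01 site=FortMeade result=success
2013-05-21T03:40:11 LOGIN user=analyst01 site=Hawaii result=success
2013-05-21T03:55:47 LOGIN user=director02 site=Hawaii result=failure
2013-05-21T03:56:30 PASSWORD_RESET user=director02 by=sysadmin07 site=Hawaii
2013-05-21T03:57:02 LOGIN user=director02 site=Hawaii result=success
2013-05-22T10:02:19 LOGIN user=sysadmin07 site=Hawaii result=success
"""

# Constructed reference data that a SIEM would normally import from HR systems.
HOME_SITE = {"analyst01": "FortMeade", "director02": "FortMeade", "sysadmin07": "Hawaii"}
TRAVEL = {"analyst01": (date(2013, 5, 21), date(2013, 5, 24))}  # inclusive away dates


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


@dataclass
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>[A-Z_]+)\s*(?P<kv>.*)$")


def parse_log(text):
    """Parse the constructed line format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        events.append(Event(datetime.fromisoformat(m.group("ts")), m.group("kind"), fields))
    return events


def detect(log_text, home_site, travel, reset_window=timedelta(minutes=10)):
    """Run three correlation rules over successful logins and return the alerts."""
    alerts = []
    last_reset = {}  # user -> most recent PASSWORD_RESET event seen so far
    for ev in parse_log(log_text):
        user = ev.fields.get("user")
        site = ev.fields.get("site")
        if ev.kind == "PASSWORD_RESET":
            last_reset[user] = ev
            continue
        if ev.kind != "LOGIN" or ev.fields.get("result") != "success":
            continue
        # Rule 1: the account is used while its owner is recorded as away.
        window = travel.get(user)
        if window and window[0] <= ev.ts.date() <= window[1]:
            alerts.append(Alert("owner_traveling", user, ev.ts,
                                f"login from {site} during travel {window[0]}..{window[1]}"))
        # Rule 2: login from a station other than the user's home site.
        if user in home_site and site != home_site[user]:
            alerts.append(Alert("unexpected_site", user, ev.ts,
                                f"login from {site}, home site is {home_site[user]}"))
        # Rule 3: an administrative reset followed quickly by a login from the same site.
        reset = last_reset.get(user)
        if reset and timedelta(0) <= ev.ts - reset.ts <= reset_window and reset.fields.get("site") == site:
            alerts.append(Alert("reset_then_login", user, ev.ts,
                                f"reset by {reset.fields.get('by')} at {reset.ts.time()} then login from {site}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, HOME_SITE, TRAVEL):
        print(f"{a.ts.isoformat()} {a.rule:16} {a.user:12} {a.detail}")
```

On the constructed sample, the rules fire four times: the traveling analyst's account logging in from Hawaii trips both the travel rule and the home-site rule, and the director's account trips the home-site rule and the reset-then-login rule, while the administrator's own login from his home station produces nothing. The third rule is the one that matters for the scenario in the article: a reset alone is routine help-desk work, but a reset immediately followed by a successful login from the resetting administrator's location is the pattern an insider borrowing credentials would leave in the logs, and it is only visible when authentication and account-management events are correlated rather than read separately.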

But based on statements by Gen. Alexander and reports about the breach, it appears that the NSA—the agency responsible for monitoring the networks of the world—didn't have a great deal of automated monitoring inside its own firewalls. Instead of using automated systems, the NSA apparently depends on an army of system administrators for its internal defenses—administrators like Edward Snowden. With masses of log data to check through, Snowden likely slipped past the eyes of other administrators or managed to delete or alter log records before they raised suspicion.

The NSA reportedly still doesn't know the extent of what Snowden extracted from the agency's intranet, and investigators are poring over access logs to try to find conflicts that would indicate which users' accounts Snowden used. Given the apparent superuser powers Snowden was able to wield—and the apparent lack of insider threat protection the agency had in place—they may never fully know.

172 Reader Comments

Justified or not, this sheds some light on the way the government is reacting; documents on an accessible network drive is much different than compromising user-credentials and using them with ulterior motives.

That said, I am debating whether this is just more spin to turn Snowden into 'the bad guy.'

I'm glad that our security apparatus has 'struck the right balance' between privacy and security and is handling all of our data in a way that makes it extraordinarily unlikely to fall into the wrong hands.

Justified or not, this sheds some light on the way the government is reacting; documents on an accessible network drive is much different than compromising user-credentials and using them with ulterior motives.

That said, I am debating whether this is just more spin to turn Snowden into 'the bad guy.'

Yup, I've got to call BS. They're trying to set him up as 'The Bad Guy'

I certainly have much less respect for the guy now. Still believe we needed to know what he has shared, but don't support the methodology at all.

Well, he just keeps exposing things that are wrong. That he was able to do this shows a certain amount of incompetence in the NSA's policies and procedures. We'd have no idea how shoddy the security is that protects *our* data otherwise.

Unless you think the NSA would have just decided to randomly audit itself and fix all this...

Morally, he's stealing documents either way, so I don't see why the UID used to do so really matters.

This would explain much of the fury of why the government is going after Snowden so vigorously: they don't know what information he actually has. At best it appears that they have an idea of his reach in the NSA's network and it was quite vast. Therein lies the danger: Snowden likely had access to genuine state secrets that do put lives at risk if that information became public. Whether Snowden copied that data is another matter, and the only one who knows for certain if that had happened is Snowden himself, it seems.

The systems accessed by Snowden limit access by user role, so he could not have used his own credentials on them without overriding access controls.

This actually goes against the impression I got from earlier coverage, where Snowden seemed to imply that the information he accessed was something anybody in his position could do as a matter of course; indeed, what they were expected to do on the job, but only as directed. I was under the impression that the only thing required for a contractor to abuse their access like he did would be lax supervision over whose information he was accessing and why, rather than actually cracking the system with swiped login credentials.

Justified or not, this sheds some light on the way the government is reacting; documents on an accessible network drive is much different than compromising user-credentials and using them with ulterior motives.

That said, I am debating whether this is just more spin to turn Snowden into 'the bad guy.'

Not sure if it will help, as Hollywood has been feeding us with the idea of guys using less than savory means to serve the greater good.

I certainly have much less respect for the guy now. Still believe we needed to know what he has shared, but don't support the methodology at all.

I guess it would be much better if someone who isn't Edward Snowden does the exact same thing, but instead of telling the entire world simply stays quiet and sells all the information to a real enemy of the US?

For all the bad things being said about the NSA, the worst in my mind is that they were tasked with untold billions of dollars to 'protect the US Constitution', but instead let one contractor waltz in and simply take all this top-secret information. So they suck up our tax money, spy on us, abuse the Constitution, lie about it, and on top of that are incompetent at their own line of work.

Justified or not, this sheds some light on the way the government is reacting; documents on an accessible network drive is much different than compromising user-credentials and using them with ulterior motives.

That said, I am debating whether this is just more spin to turn Snowden into 'the bad guy.'

Unless they've become more comfortable with being painted as utterly incompetent, I can't imagine they would falsely reveal something like this. If they were trying to paint him as the bad guy it'd be better to omit the parts about how archaic their own security measures are. It's possible, but unlikely. There are better ways to spin things if that was their goal.

I certainly have much less respect for the guy now. Still believe we needed to know what he has shared, but don't support the methodology at all.

Not sure why the methods used even matter. Snowden already said he took the job to deliberately do what he did. I think he crossed the morality line right there.

I still admire the guy for sticking to his principles. If I was earning $120k a year doing basic sysadmin work in Hawaii, I could give a shit what the government is up to.

I haven't followed extremely closely, so I did not know that he took the job with the intention in mind. I agree, that crosses pretty much the same line.

That said, I certainly do believe that the methods do matter. Things aren't black and white. If he killed some admin's children to get data to leak, you'd probably be thinking the method mattered too. Extreme example, but point remains.

You think the NSA is incompetent for not following basic security policies? You ought to try the IRS.

If the IRS went after its own employees with the same zeal it goes after taxpayers they would be all in prison.

"Oh, you didn't give anyone a receipt for the 1.5 billion you got from Congress last year to purchase equipment? What do you mean it wasn't your responsibility. Well, you sure must be able to provide some evidence of the spending... some paper trail... You don't? Well, for starters we'll have to put a lien on this government building till this matter is resolved".

My apologies for pulling a Clint Eastwood empty-chair-dialogue on this most serious issue, on this most serious forum.

Clearly trying to make him into the bad guy. They should know what he had access to from the start; it would be clear from the first leak if he hacked into someone else's account. This is another terror alert for their own failures, just like shutting down embassies.

Snowden was trawling their Intranet and they are poring over the access logs.

I'd use the corrections form, but it's a pain in the arse to do on a phone.

Use of "troll" here is fine:

troll 2 |trōl| verb 1 [no obj.] fish by trailing a baited line along behind a boat: we trolled for mackerel. • search for something: a group of companies trolling for partnership opportunities | [with obj.]: I spent tonight trolling the Internet for expensive lighting gear.

... finding periods when the employees were traveling but their accounts were still used to access the intranet ...

Can't quite make up my mind whether to wet myself laughing or whether to quietly sit in the corner and weep for a bit, but I sure as hell am glad it's these people who've been tasked with keeping us safe.

I certainly have much less respect for the guy now. Still believe we needed to know what he has shared, but don't support the methodology at all.

Not sure why the methods used even matter. Snowden already said he took the job to deliberately do what he did. I think he crossed the morality line right there.

I still admire the guy for sticking to his principles. If I was earning $120k a year doing basic sysadmin work in Hawaii, I could give a shit what the government is up to.

The secrets he had access to are worth far more than $120k/year. Until he proves that he has not sold anything, and does not plan on selling anything, we will not know that he hasn't or won't cash in.

The only facts that we have are that he took the job with Booz Allen for the purpose of stealing information, that he used stolen credentials to get in, that he ran to China and Russia, and that the information he revealed about PRISM details domestic spying operations.

Let's try to stay out of the realm of assumptions and stick to facts.

That's the stupidest comment ever in any Snowden topic here on Ars. And I've seen plenty of stupid comments.

If he was going to sell these secrets he wouldn't have made them public by talking to the press, or announced his name and prior employment (NSA) to the entire world.

If his intention was to sell to a foreign power, no one would have ever known he did it unless the recipient had a leak back to the US govt.

This guy walked away from a high paying job in HAWAII, and a brand new apartment, and a ballerina girlfriend, to expose illegal activity by the US government. He's a fricken hero.

Methinks the barn is empty at this point. I have a sneaking suspicion that Snowden also replaced the stock drives in his laptops with higher capacity units. Several terabytes would pretty much scrape everything the NSA has in terms of policy, plans and capabilities.

Heads are definitely going to roll over this. They probably already are. The only question is: how far up the chain is the bloodletting going to go? Somehow I don't think there's a "the buck stops here" culture at the NSA. People are probably occupied full-time right now... covering their butts with renewed vigor after this latest little tidbit went public.

With the exception of Alexander. I doubt seriously he's going to be the one to fall on his sword.

Justified or not, this sheds some light on the way the government is reacting; documents on an accessible network drive is much different than compromising user-credentials and using them with ulterior motives.

That said, I am debating whether this is just more spin to turn Snowden into 'the bad guy.'

Unless they've become more comfortable with being painted as utterly incompetent, I can't imagine they would falsely reveal something like this. If they were trying to paint him as the bad guy it'd be better to omit the parts about how archaic their own security measures are. It's possible, but unlikely. There are better ways to spin things if that was their goal.

There certainly might be better ways to spin things, if spin is the real or only goal. But I imagine that they are building a legal case - for which they will need a paper trail. The forensics, if we may generously call their investigative methods that, are important in that regard. Not knowing the original source(s) for the information cited in this article, per NBC's report, means it isn't a sure thing, but I think that building a case against Snowden is probably what led, indirectly, to this information becoming known.

Justified or not, this sheds some light on the way the government is reacting; documents on an accessible network drive is much different than compromising user-credentials and using them with ulterior motives.

That said, I am debating whether this is just more spin to turn Snowden into 'the bad guy.'

"An investigation by NBC found that Snowden had used the digital identities of several upper-level NSA officials to log into NSAnet, the agency's intranet—giving him access to data far beyond the needs of a lowly system administrator."

Let's see. How did NBC do this investigation?

It found a bunch of people inside NSA, and they leaked "national defense information" to NBC. Which, of course, under Obama, violates the Espionage Act (and probably the Computer Fraud and Abuse Act Espionage Section automatically, since NBC uses computers).

Obama will now have to prosecute his own NSA for leaking, and then name NBC as co-conspirators in the crime of Espionage. Hopefully Brian Williams will not be charged with Aiding the Enemy.

Another interesting note is the use of the phrase "insider threat detection". That's almost a brand name for a certain subsection of IT security theory that is all the latest buzzword craze. Got security problems like Manning or Snowden? Hey, use "insider threat detection" and they will catch them!

The unhappy reality is that, 1. Maybe you should stop violating the constitution and robbing the American people of their human rights and then people won't have to 'leak' about it, and 2. insider threat detection is a joke. It detects when people go to lunch at a funny time, or when they leave too early on Friday, then labels them a 'threat' and then you have to pore through these idiotic fucking reports trying to chase down some internal bad guy who doesn't exist.

The major threat has ALWAYS been insiders, and they have almost always been doing it for money. It's not new. It's not unusual. It's actually pretty common. Look at the Espionage prosecutions in the 20th century - it's typically someone like Ames or Hanssen, who are just ordinary greedy, animalistic jerks who enjoy screwing their own country and getting rich while doing it. They are not idealistic, they are usually bitter and angry. It's not that hard to catch these people. There were a bunch of old women who were back office staff inside the CIA who knew Ames did it - the only hard part was getting the money and resources to prove it. Not to mention the political will. But they did prove it and they nailed him. And then the agency, instead of being happy that these excellent people had done a great job, was rather embarrassed and tried to hush it up. No medals, no big ceremony, no handshake from the commander in chief. But still, the guy was nailed, like so many other for-profit spies have been nailed.

On the other hand. If you are running an unethical, immoral, illegal operation inside the government, that exists purely to bilk the taxpayer out of mass quantities of money while providing no apparent value to society nor to security, then there is No Way to stop someone reporting it. Hitler and Stalin learned this the hard way. Until you can monitor every last neural synapse of every living being, you can never stop the fundamental human desire to be free and to know right from wrong. The truth will out.

School children in a utopian world would be taught basic logic 101 and then everyone (including children) would realise this is the logical fallacy called, "shoot the messenger." It's an easy way to pull the conversation away from the actual content which should be discussed, but hey, not even adults these days are educated in what should be basic kindergarten fundamentals.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.